> On Jan 31, 2018, at 2:46 PM, Danny Horne <da...@trisect.uk> wrote:
> 
> I didn't think achieving an inbound trusted TLS connection required
> DANE, merely a trusted certificate (which was verifiable through my
> trusted CA file).
> 
> Maybe I misunderstood the documentation.

I see, sorry, I thought you were looking for DANE auth.  For
"trusted" client connections you'll need a suitable CApath
that includes the relevant trust-anchors and any intermediate
CAs that the sending client might have left out in error.

You report settings of:

  smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
  smtpd_tls_ask_ccert = yes
  smtpd_tls_ccert_verifydepth = 2

Surely "ca-bundle.trust.crt" is a file, not a directory.  This would work as
a "CAfile", but I very much recommend that you use CApath instead.  Point
your CApath at the directory with all the certs, that are "hashed" via
"c_rehash" or similar.  If running smtpd(8) chrooted, make sure there's
a copy of the CApath directory inside the jail.

When mx1.mailbox.org is the receiving MTA, its certificate chain is:

  mx1.mailbox.org[80.241.60.212]: pass: TLSA match: depth = 0, name = *.mailbox.org
    TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
    name = *.mailbox.org
    name = mailbox.org
    depth = 0
      Issuer CommonName = SwissSign Server Silver CA 2014 - G22
      Issuer Organization = SwissSign AG
      notBefore = 2014-12-04T12:05:04Z
      notAfter = 2019-12-04T12:05:04Z
      Subject CommonName = *.mailbox.org
      pkey sha256 [matched] <- 3 1 1 4758af6f02dfb5dc8795fa402e77a8a0486af5e85d2ca60c294476aadc40b220
    depth = 1
      Issuer CommonName = SwissSign Silver CA - G2
      Issuer Organization = SwissSign AG
      notBefore = 2014-09-19T20:36:43Z
      notAfter = 2029-09-15T20:36:43Z
      Subject CommonName = SwissSign Server Silver CA 2014 - G22
      Subject Organization = SwissSign AG
      pkey sha256 [nomatch] <- 2 1 1 989c1c480d561396df0ac439a3bf70182bdab2fc1d56cce7665a91d47dd83dd2
    depth = 2
      Issuer CommonName = SwissSign Silver CA - G2
      Issuer Organization = SwissSign AG
      notBefore = 2006-10-25T08:32:46Z
      notAfter = 2036-10-25T08:32:46Z
      Subject CommonName = SwissSign Silver CA - G2
      Subject Organization = SwissSign AG
      pkey sha256 [nomatch] <- 2 1 1 9318226f8c83afe47f5f47c24f59ce12dba8c73b181bee6b2ea1f40a06bc1869


Is "SwissSign Silver CA - G2" included in your "ca bundle"?

-- 
        Viktor.
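As an added example, not code from this thread or from Postfix: a POSIX shell script that turns a PEM bundle into the hashed CApath directory described above, answers the "is this CA in your bundle?" question by subject CN, and shows why the intermediate CA has to be in the CApath when a client sends only its leaf certificate. It assumes openssl(1) is on PATH; the three-level chain it generates and its CA names are constructed stand-ins for the SwissSign chain, and the function names (build_capath, capath_has_cn, verify_with_capath) are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a hashed CApath from a PEM bundle
# (what Postfix needs for smtpd_tls_CApath) and shows that the intermediate CA
# must be in it when the sending client omits it. Assumes openssl(1) on PATH.
set -eu

# split_bundle BUNDLE OUTDIR: one cert-NNNN.pem per certificate in BUNDLE.
# Handles both "CERTIFICATE" and "TRUSTED CERTIFICATE" PEM blocks.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN (TRUSTED )?CERTIFICATE-----/ {
            n++; f = sprintf("%s/cert-%04d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END (TRUSTED )?CERTIFICATE-----/ { close(f); inside = 0 }
    ' "$1"
}

# hash_capath DIR: add the HASH.N symlinks OpenSSL looks up in a CApath
# (the subject-hash part of what c_rehash or "openssl rehash" does).
hash_capath() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$1/$h.$n"
    done
}

# build_capath BUNDLE DIR, e.g.
#   build_capath /etc/pki/tls/certs/ca-bundle.crt /etc/postfix/capath
build_capath() { split_bundle "$1" "$2"; hash_capath "$2"; }

# capath_has_cn DIR CN: print the file whose subject CN is exactly CN;
# exit status 1 if none (answers "is this CA in your bundle?").
capath_has_cn() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        case "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem")" in
            *"CN=$2"|*"CN=$2,"*) echo "$pem"; return 0 ;;
        esac
    done
    return 1
}

# verify_with_capath DIR CERT: status 0 if CERT chains to DIR with no extra
# untrusted certs, i.e. what smtpd sees when a client sends only its leaf.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR: constructed root -> intermediate -> leaf chain with
# fictional names standing in for the SwissSign chain; not real certificates.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/O=Example AG/CN=Example Silver CA - G2" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/O=Example AG/CN=Example Server Silver CA 2014 - G22" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=mx1.example.org" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# demo WORKDIR: a CApath holding only the root rejects the leaf; root plus
# intermediate accepts it.
demo() {
    w=$1
    make_test_pki "$w/pki"
    cat "$w/pki/root.pem" > "$w/root-only.crt"
    cat "$w/pki/root.pem" "$w/pki/int.pem" > "$w/full.crt"
    build_capath "$w/root-only.crt" "$w/capath-root-only"
    build_capath "$w/full.crt" "$w/capath-full"
    if verify_with_capath "$w/capath-root-only" "$w/pki/leaf.pem"; then
        echo "root-only CApath: leaf verified (unexpected)"
    else
        echo "root-only CApath: leaf rejected, intermediate missing"
    fi
    if verify_with_capath "$w/capath-full" "$w/pki/leaf.pem"; then
        echo "root+intermediate CApath: leaf verified"
    fi
    capath_has_cn "$w/capath-full" "Example Silver CA - G2"
}

if [ "${1:-}" = "--demo" ]; then demo "$(mktemp -d)"; fi
```

Run it with `--demo` to see both outcomes. For a real deployment, run `build_capath` against the system bundle into a directory Postfix can read (and copy that directory into the chroot if smtpd runs jailed), point smtpd_tls_CApath at it, and use `capath_has_cn` to confirm the root you expect (here, "SwissSign Silver CA - G2") actually made it into the directory; the root-only run shows the failure mode when an intermediate is neither sent by the client nor present in the CApath.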
